NetBackup™ Security and Encryption Guide

Validating KMS credentials

If incorrect credentials are configured in NetBackup, communication with the external KMS server may fail. To avoid such failures, NetBackup carries out a set of validations before a credential is configured for KMS use. If a validation check fails, the credential cannot be configured.

See Configuring KMS credentials.

See Checking the compatibility of KMS vendor with NetBackup.

The -validate option of the nbkmiputil command is intended for use when the KMS vendor is listed as a supported vendor in the NetBackup hardware compatibility list.

The following validations are carried out when you configure a new credential or update an existing one.

Configuring a credential when one or more of these checks fail is not recommended:

  • The certificate path is valid

  • The truststore path is valid

  • The private key path is valid

  • The certificates in certificate chain are readable

  • The certificates in a truststore are readable

  • The private key is readable

  • The Common Name field is not empty

  • The certificate is not expired

  • The certificate is currently valid

  • The private key matches the certificate

  • The certificates are in the appropriate order

  • The following CRL validation checks are performed, if the ECA_CRL_PATH is configured and the CRL check level is other than DISABLE:

    • The CRL directory consists of CRL files

    • The CRL check level is valid

    • The CRL path is valid

    • The available CRLs are readable

To validate KMS credentials and KMS functionality

  1. Run the following command:

    nbkmiputil -validate -kmsServer kms_server_name -port port -certPath cert_path -privateKeyPath private_key_path -trustStorePath trust_store_path

    The nbkmiputil command validates the KMS functionality, including the connection to the KMS server.

    It also tests operations such as list keys, fetch keys, set attributes, and fetch attributes. For set attributes, the account that the credential represents must have 'write' permission on the KMS server. The nbkmiputil command also validates the CA fingerprint on the server certificate that is exchanged during the TLS handshake. nbkmiputil uses TLS 1.2 or a later protocol version for communication with the external KMS server.

  2. If any check fails, review the credential files and the KMS-side permissions described above, and contact Cohesity Technical Support if the failure persists.
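The following script is an added example and is not part of NetBackup or of the nbkmiputil command. It reproduces the file-level validations listed above with openssl(1), so that a broken certificate chain, truststore, private key or CRL directory is caught locally before nbkmiputil -validate is run against the KMS server. The function names (preflight, validate_kms, the individual check helpers) are this example's own. It assumes that openssl is on the PATH, that cert_path is a PEM file containing the client certificate first followed by its issuing chain, that trust_store_path is a PEM CA bundle, and that an optional CRL directory holds PEM or DER CRL files.

```shell
#!/bin/sh
# Pre-flight check of the files used for a NetBackup external KMS credential.
# Added example (not NetBackup code): mirrors the validations the guide lists,
# using openssl, before the real nbkmiputil -validate call is made.
# Assumptions: openssl on PATH; cert_path is a PEM chain with the leaf first;
# trust_store_path is a PEM CA bundle; CRL_DIR (optional) holds CRL files.

# check DESCRIPTION COMMAND [ARGS...]: run the command, report, record failure.
check() {
    desc="$1"; shift
    if "$@" >/dev/null 2>&1; then echo "PASS: $desc"
    else echo "FAIL: $desc"; fail=1; fi
}

# Every certificate in a PEM bundle must parse (x509 alone reads only the first).
certs_readable()  { openssl crl2pkcs7 -nocrl -certfile "$1" >/dev/null; }
key_readable()    { openssl pkey -in "$1" -noout; }
# The Common Name in the leaf certificate's subject must be present and non-empty.
cn_present()      { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q 'CN=[^,]'; }
# -checkend 0 fails once notAfter is in the past.
not_expired()     { openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }
# verify enforces notBefore/notAfter and builds the chain up to the truststore.
chain_verifies()  { openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null; }
# The public key of the FIRST certificate must equal the private key's public
# part. This also catches a chain stored CA-first instead of leaf-first.
key_matches() {
    pub_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    pub_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$pub_cert" ] && [ "$pub_cert" = "$pub_key" ]
}
# The CRL directory must contain at least one file, and every file must parse
# as a CRL (PEM first, then DER).
crls_readable() {
    found=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        openssl crl -in "$f" -noout 2>/dev/null \
            || openssl crl -in "$f" -inform DER -noout 2>/dev/null || return 1
        found=1
    done
    [ "$found" -eq 1 ]
}

# preflight CERT_PATH PRIVATE_KEY_PATH TRUST_STORE_PATH [CRL_DIR]
# Prints one PASS/FAIL line per check; returns 0 only if every check passed.
preflight() {
    cert="$1"; key="$2"; store="$3"; crl_dir="${4:-}"; fail=0
    check "certificate path is valid and readable"          test -r "$cert"
    check "truststore path is valid and readable"           test -r "$store"
    check "private key path is valid and readable"          test -r "$key"
    check "certificates in the chain are readable"          certs_readable "$cert"
    check "certificates in the truststore are readable"     certs_readable "$store"
    check "private key is readable"                         key_readable "$key"
    check "Common Name field is not empty"                  cn_present "$cert"
    check "certificate is not expired"                      not_expired "$cert"
    check "certificate is currently valid and chains to the truststore" \
                                                            chain_verifies "$cert" "$store"
    check "private key matches the first certificate (leaf-first order)" \
                                                            key_matches "$cert" "$key"
    if [ -n "$crl_dir" ]; then
        check "CRL path is a directory"                     test -d "$crl_dir"
        check "CRL directory consists of readable CRL files" crls_readable "$crl_dir"
    fi
    return "$fail"
}

# validate_kms KMS_SERVER PORT CERT_PATH PRIVATE_KEY_PATH TRUST_STORE_PATH [CRL_DIR]
# Runs the local checks and, only if they pass, the NetBackup validation itself.
validate_kms() {
    preflight "$3" "$4" "$5" "${6:-}" \
        || { echo "local checks failed; fix the credential files first" >&2; return 1; }
    nbkmiputil -validate -kmsServer "$1" -port "$2" \
        -certPath "$3" -privateKeyPath "$4" -trustStorePath "$5"
}
```

The key-match test deliberately reads only the first certificate in the file, so a chain that was concatenated CA-first fails that check with the same message as a genuinely wrong key; reorder the file so the client certificate comes first and rerun. The CRL checks only confirm that the directory and its files are usable; revocation status of the KMS server certificate itself is evaluated by nbkmiputil according to the configured CRL check level, not by this script.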
